Static analysis security scanner for Ruby on Rails

Ignoring False Positives

False positives (warnings about potential vulnerabilities which are not actual vulnerabilities) are present in any security tool. Before ignoring a warning, be certain it really is a false positive, and consider reporting it so that Brakeman can be changed to avoid that false positive in the future.

The ignore configuration is a JSON file containing a list of warnings. This is essentially the same as the JSON report, except the warnings can also have a note field. Use the note to record why the warning is a false positive, so the decision can be reviewed later without re-investigating the code.

A minimal configuration needs only enough to identify each warning (Brakeman matches ignored warnings by their fingerprint) plus the optional note; the auto-generated file will have more information.

After stepping through the warnings in interactive ignore mode (brakeman -I), Brakeman will ask if the changes should be saved:

1. Save changes
2. Start over
3. Quit, do not save changes
?

Enter 1 to save the changes to a file. Enter 2 to step through the warnings again. Enter 3 to quit without saving any changes.

For option 1, Brakeman will ask where to save the file. The default, config/brakeman.ignore, is recommended, since Brakeman loads a file at that path automatically on later scans.

After that, the scan report will be generated, with the specified warnings ignored.

Specifying an Ignore File

By default, Brakeman will look in the config directory of the application being scanned for a file named brakeman.ignore. If this file exists, it will automatically be loaded and used.

Otherwise, the location of the configuration file can be set using -i or --ignore-config with the file name, relative to the root of the Rails application.

When Warnings are Ignored

JSON reports include an ignored_warnings array, HTML reports have a table of ignored warnings which is hidden by default, and the basic text output includes the number of warnings ignored, if any. That count is worth checking: an unexpectedly large number usually means a stale or over-broad ignore file is in effect.
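The ignore file format described above and the ignored_warnings array of the JSON report fit together naturally into a maintenance check. The following Ruby script is an added example, not Brakeman's own code: it embeds a constructed config/brakeman.ignore (the fingerprints are made up and correspond to no real warning) and a constructed report excerpt, then flags ignore entries that carry no note and entries whose fingerprint Brakeman no longer reports as ignored, which means the warning has stopped firing and the entry is stale. The field names are the ones the page and the JSON report use; the sample values are assumptions for illustration.

```ruby
require "json"

# Constructed sample config/brakeman.ignore (not from a real scan). The first entry is
# shaped like the ones Brakeman generates; the other two are minimal: fingerprint plus note.
IGNORE_FILE = <<~IGNORE
  {
    "ignored_warnings": [
      {
        "warning_type": "SQL Injection",
        "warning_code": 0,
        "fingerprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9",
        "check_name": "SQL",
        "message": "Possible SQL injection",
        "file": "app/models/user.rb",
        "line": 12,
        "confidence": "Medium",
        "note": "Column name is checked against an allow-list before use"
      },
      {
        "fingerprint": "1111111111111111111111111111111111111111111111111111111111111111",
        "note": ""
      },
      {
        "fingerprint": "2222222222222222222222222222222222222222222222222222222222222222",
        "note": "Template removed in the checkout refactor"
      }
    ],
    "updated": "2024-01-01 00:00:00 +0000",
    "brakeman_version": "6.0.0"
  }
IGNORE

# Constructed excerpt of a JSON report produced after the ignore file was applied.
# The third fingerprint is absent: the code it pointed at is gone, so the entry is stale.
REPORT_FILE = <<~REPORT
  {
    "warnings": [],
    "ignored_warnings": [
      {"fingerprint": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9",
       "warning_type": "SQL Injection", "file": "app/models/user.rb", "line": 12},
      {"fingerprint": "1111111111111111111111111111111111111111111111111111111111111111",
       "warning_type": "Cross-Site Scripting", "file": "app/views/users/show.html.erb", "line": 3}
    ]
  }
REPORT

# Parse an ignore file and return its entries, failing loudly on a malformed file
# rather than silently auditing nothing.
def load_ignore_entries(text)
  data = JSON.parse(text)
  entries = data["ignored_warnings"]
  raise ArgumentError, "ignore file has no ignored_warnings array" unless entries.is_a?(Array)
  entries.each do |entry|
    fp = entry["fingerprint"]
    raise ArgumentError, "entry without a fingerprint: #{entry.inspect}" unless fp.is_a?(String) && !fp.empty?
  end
  entries
end

# Fingerprints of entries whose note is missing or blank. An ignore without a recorded
# reason cannot be reviewed later; it should be justified or removed.
def entries_without_note(entries)
  entries.reject { |e| e["note"].is_a?(String) && !e["note"].strip.empty? }
         .map { |e| e["fingerprint"] }
end

# Fingerprints in the ignore file that the report no longer lists as ignored: the warning
# has stopped firing. Pruning them keeps the file honest, and a stale entry can silently
# re-suppress the warning if the same code reappears in the same place.
def stale_entries(entries, report_text)
  report = JSON.parse(report_text)
  still_ignored = (report["ignored_warnings"] || []).map { |w| w["fingerprint"] }
  entries.map { |e| e["fingerprint"] } - still_ignored
end

# Run both checks and return a summary hash.
def audit_ignore(ignore_text, report_text)
  entries = load_ignore_entries(ignore_text)
  { total: entries.size,
    without_note: entries_without_note(entries),
    stale: stale_entries(entries, report_text) }
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby audit_ignore.rb [config/brakeman.ignore] [report.json]
  # Without arguments the embedded samples are used.
  ignore_text = ARGV[0] ? File.read(ARGV[0]) : IGNORE_FILE
  report_text = ARGV[1] ? File.read(ARGV[1]) : REPORT_FILE
  result = audit_ignore(ignore_text, report_text)
  puts "#{result[:total]} ignored warnings"
  result[:without_note].each { |fp| puts "no note: #{fp}" }
  result[:stale].each { |fp| puts "stale:   #{fp}" }
end
```

To use it against a real application, generate the report with the ignore file in effect (for example brakeman -f json -o report.json, which picks up config/brakeman.ignore automatically) and pass both paths to the script; a non-empty stale list is a signal to re-run interactive ignore mode and regenerate the file rather than hand-edit it.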